@sarciszewski
Last active August 29, 2015 14:07
A Modest Proposal

Premise

Developers love to fetch data over the network and love to pipe it directly into a language interpreter (e.g. curl http://get.mojolicio.us | sh, curl https://getcomposer.org/installer | php, etc.) and have put forth a great deal of resistance towards efforts to break these habits.

In order to be able to offer developers some security assurance, I have put together this proposal for a free service that will allow developers to obtain a verifiable copy of a program.

Contents

  • 0x00-README.md - You are here!
  • 0x01-workflow.md - Describes the service workflow
  • 0x02-threatmodel.md - Our threat model
  • 0x03-goals.md - Our goals
  • 0x04-implementation.md - Implementation details

Contributing

Comment anywhere, this is still a draft.

Workflow

  1. Anonymous users can nominate open source projects for inclusion in our scope by linking to their code repositories (e.g. GitHub).
  2. Someone involved with the project will confirm the deficiency then reach out to the developers to politely request they implement PGP code signing and serve over HTTPS.
  3. We will independently rebuild their package and publish:
  • something-v1.0.1-something.tar.gz
    • Their package
    • Our package
    • The build script that produced our package, if applicable
    • A diff between the two packages
  • something-v1.0.1-something.tar.gz.asc
  4. A rotating monthly PGP key will be generated. All of our .tar.gz and .tar.gz.asc deliverables will be signed with the rotating key to ensure old versions are not continually delivered to end users. We will sign the monthly keys and publish our signatures in a Merkle hash tree (and/or the blockchain) and encourage other services and users to host mirrors to detect tampering.
  5. Users can manually download, verify, etc. our deliverables using standard GNU/Linux and BSD tools. Eventually, we would like to produce a CLI tool (e.g. swget) that would facilitate downloading and verification but, unlike package managers, would not directly install anything.
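An added example, not part of the original proposal: one way the Merkle hash tree of monthly key signatures could let a mirror detect tampering. The record format, SHA-256, the 0x00/0x01 prefix bytes and all function names are assumptions made for illustration; the proposal does not specify a tree construction.

```python
import hashlib

# Constructed sample log: one record per monthly key. Fingerprints and
# signature fields are placeholders, not real key material.
KEY_LOG = [
    b"2014-10|fpr=PLACEHOLDER-A|sig=PLACEHOLDER-1",
    b"2014-11|fpr=PLACEHOLDER-B|sig=PLACEHOLDER-2",
    b"2014-12|fpr=PLACEHOLDER-C|sig=PLACEHOLDER-3",
    b"2015-01|fpr=PLACEHOLDER-D|sig=PLACEHOLDER-4",
    b"2015-02|fpr=PLACEHOLDER-E|sig=PLACEHOLDER-5",
]

def _h(prefix, data):
    return hashlib.sha256(prefix + data).digest()

def leaf_hash(record):
    return _h(b"\x00", record)  # 0x00 = leaf, 0x01 = interior node

def _levels(records):
    if not records:
        raise ValueError("empty key log")
    levels = [[leaf_hash(r) for r in records]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        # Pair neighbours; an unpaired last node is promoted unchanged.
        levels.append([_h(b"\x01", cur[i] + cur[i + 1]) if i + 1 < len(cur)
                       else cur[i] for i in range(0, len(cur), 2)])
    return levels

def merkle_root(records):
    return _levels(records)[-1][0]

def inclusion_proof(records, index):
    proof = []
    for level in _levels(records)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # skipped when this node was promoted
            proof.append((sibling < index, level[sibling]))
        index //= 2
    return proof

def verify_inclusion(record, proof, root):
    node = leaf_hash(record)
    for sibling_is_left, sibling in proof:
        pair = sibling + node if sibling_is_left else node + sibling
        node = _h(b"\x01", pair)
    return node == root
```

A mirror that has pinned the published root needs only a record and its short proof to confirm the record belongs to the log; a record with a substituted key fingerprint fails the check.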

All downloads will be delivered over HTTPS or a Tor Hidden Service.

Our goals with this project should be as follows:

  1. Encourage developers to sign their own packages with their own key. Otherwise, anyone who uses our service directly has to trust us not to do anything malicious.
  2. Provide users who want to use a product that does not provide PGP signatures with an alternate means to do so until the maintainers' habits can be addressed.
  3. Encourage developers to make their builds reproducible. (This is why a diff is included in our deliverable.)
  4. Make everything (except our private keys) auditable, transparent, public, and deterministic.

See also: https://defuse.ca/triangle-of-secure-code-delivery.htm

Present Situation

root@box~# curl http://untrusted | sh
Doom!

Future

unpriv@box~$ swget https://somedomain.tld/somevendor/
Downloaded.
Verified.
View the diff? (Y/n) _